TCM Bank: website misconfiguration exposed applicant data for 16 months
6.8.18 securityaffairs Hacking
TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018.
TCM Bank, a subsidiary of ICBA Bancard, serves as a trusted advisor to community banks and as a direct issuer of credit cards for more than 750 small and community U.S. banks that prefer not to issue cards themselves.
TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, including names, addresses, dates of birth and Social Security numbers.
“In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor,” wrote the popular investigator Brian Krebs.
“TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.”
Thousands of people who applied for cards between early March 2017 and mid-July 2018 were affected by the incident.
The company notified the affected customers of the incident via email; the exposed data is information that card applicants uploaded to a Web site managed by a third-party vendor.
The attorney Bruce Radke, who is helping TCM, confirmed that the number of affected customers is less than 10,000.
“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said.
“We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”
Businesses have to carefully review the level of security implemented by their partners to avoid third-party incidents that could have a significant impact on their operations.
“Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers,” concludes Krebs.
“Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners.”